I have installed nginx (openresty/1.13.6.2) as a reverse proxy for different services including Grafana (works well for over a year now).
Now I wanted to serve PDF documents via nginx, so that I can create links from a Grafana dashboard to documentation for operations teams. I am on a Windows 10 box (can't change this) and I am not able to successfully serve the static PDF files via nginx. I have some experience in setting up nginx as a reverse proxy or HTML web server on Linux boxes (have done this several times), but on Windows I am now facing issues. Whenever I try to access/download the files via HTTP I get a "403 Forbidden" error. nginx runs as a service under the user "SYSTEM".
I have tried to set the permissions on the folder to the same user as nginx, but nginx is running as the "SYSTEM" user under Windows anyway, so it should have full access to the folder. I have checked "Access denied to Nginx folder with folders and files not being created", but it seems to be an upstream service issue.
The autoindex works, it shows the list of available PDF files, but whenever I click on a file, I end up with the error.
The following snippet shows my nginx config:
    server {
        listen 8080 ssl;
        server_name localhost;
        ssl_certificate certificates\TEST.pem;
        ssl_certificate_key certificates\TEST.key;
        location /grafana/ {
            ....
            proxy_pass http://127.0.0.1:3000/;
        }
        location /public/doc/ {
            autoindex on;
            include mime.types;
            autoindex_format html;
        }
    }
On Windows, the PDF files are located under ./html/public/doc under the nginx directory.
This is the log entry in error.log:
[error] 547220#547264: *320 CreateFile() "./html/public/doc/document.pdf" failed (5: Access is denied), client: xx.xx.xx.xx, server: localhost, request: "GET /public/doc/document.pdf HTTP/1.1"
I would like to get the PDF files "downloadable" but I get access denied to the files.
After the comments I edited the server block to contain the root directory (absolute path):
    server {
        listen 8080 ssl;
        server_name localhost;
        root D:\software\nginx\html;
        ssl_certificate certificates\TEST.pem;
        ssl_certificate_key certificates\TEST.key;
        location /grafana/ {
            ....
            proxy_pass http://127.0.0.1:3000/;
        }
        location /public/doc/ {
            autoindex on;
            include mime.types;
            autoindex_format html;
        }
    }
Further update:
I updated the server block to:
    server {
        listen 8080 ssl;
        server_name localhost;
        root "D:/software/nginx/html";
        ssl_certificate certificates\TEST.pem;
        ssl_certificate_key certificates\TEST.key;
        location /grafana/ {
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Frame-Options SAMEORIGIN;
            proxy_pass http://127.0.0.1:3000/;
        }
        location /public/doc {
            alias "D:/software/nginx/html/public/doc";
            autoindex on;
            include mime.types;
            autoindex_format html;
        }
        location /public/images {
            rewrite ^/public/images/(.*) /$1 break;
            root "D:/data/images";
            add_header Cache-Control public;
            add_header Cache-Control must-revalidate;
            expires 1s;
        }
    }
And I am now getting the error with the correct path to the file:
[error] 1628392#1627684: *14 CreateFile() "D:/software/nginx/html/public/doc/Test.pdf" failed (5: Access is denied), client: xx.xx.xx.xx, server: localhost, request: "GET /public/doc/Tausch_QR_Cam.pdf HTTP/1.1", host: "xx.xx.x.x:8080", referrer: "https://xx.xx.x.x:8080/public/doc/"
The directory listing in "public/doc" works, Grafana works, and the image download works as well, but I am still not able to access the PDF files :(
Update:
Apparently nginx was running under the "SYSTEM" account. I thought this account has access to everything. Even changing ownership of the directory/files from "admin" to "SYSTEM" didn't help.
What helped: changing the user for the nginx service from "SYSTEM" to "admin" like below (German version). I don't exactly know why, but now it works (files owned by "SYSTEM", "admin" has full access, nginx runs under the "admin" account).
So the issue is solved, even if I don't know whether it is solved correctly.
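
Added example, not part of the original post: a PowerShell check for the point the post leaves open, namely why the directory listing worked while CreateFile() on the PDF was denied. For the directory and each PDF it reports whether the SIDs carried by a LocalSystem token have a read grant or a deny ACE, whether inheritance is switched off, and whether the file is EFS-encrypted (an EFS-encrypted file returns "Access is denied" to accounts other than the one that encrypted it). The default path comes from the post's config; the function name `Test-ReadAccess` and the SID list are assumptions of this example.

```powershell
# Added example (not from the original post). Path default is the alias from
# the post's config; the SID list is an assumption describing a LocalSystem token.
param(
    [string]$Path = 'D:\software\nginx\html\public\doc',
    # SYSTEM, BUILTIN\Administrators, Everyone, Authenticated Users
    [string[]]$TokenSids = @('S-1-5-18', 'S-1-5-32-544', 'S-1-1-0', 'S-1-5-11')
)

$read    = [System.Security.AccessControl.FileSystemRights]::Read
$sidType = [System.Security.Principal.SecurityIdentifier]

function Test-ReadAccess {
    param([string]$ItemPath, [string[]]$Sids)
    $item = Get-Item -LiteralPath $ItemPath -Force
    $acl  = Get-Acl  -LiteralPath $ItemPath
    # Explicit and inherited ACEs, identities resolved to SIDs so the check
    # does not depend on the Windows display language (e.g. a German install).
    $rules = $acl.GetAccessRules($true, $true, $sidType) |
        Where-Object { $Sids -contains $_.IdentityReference.Value }
    $allow = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $read) -eq $read }
    $deny = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ($_.FileSystemRights -band $read) -ne 0 }
    [pscustomobject]@{
        Name           = $item.Name
        Owner          = $acl.Owner
        InheritanceOff = $acl.AreAccessRulesProtected   # file no longer inherits the folder ACL
        AllowRead      = [bool]$allow
        DenyRead       = [bool]$deny                    # a deny ACE overrides any allow
        EfsEncrypted   = $item.Attributes.HasFlag([System.IO.FileAttributes]::Encrypted)
    }
}

# The directory itself first, then every PDF in it
@($Path) + @(Get-ChildItem -LiteralPath $Path -Filter *.pdf -File | ForEach-Object FullName) |
    ForEach-Object { Test-ReadAccess -ItemPath $_ -Sids $TokenSids } |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the ACLs can be read. Passing the SIDs of a dedicated low-privilege service account as `-TokenSids` shows whether nginx could serve the files without running under an administrator account.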